Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: penetrating web-based authentication if you know one of theusernames

from [David Corn] Network Security [Permanent Link]
Subject: RE: penetrating web-based authentication if you know one of theusernames
Date: Fri, 20 May 2005 13:10:01 -0500 
I have played with AccessDiver on many occasions; it is a very nice tool.  It 
is very capable at brute forcing web based authentication systems.  I do 
recommend trying it out.  But if a system is not performing login accounting 
they need to rethink there security for online authentication.  There are a 
couple PAM modules for strength assessment, that test for upper and lower case 
length, Look at pam_passwd+.

David Corn
Security Consultant
Covetrix, IT Consulting Group
http://www.covetrix.com
Phone: 214-575-9583 x116
Fax: 214-575-9584
 

-----Original Message-----
From: Pablo Fernández [mailto:newsclient@teamq.info] 
Sent: Wednesday, May 18, 2005 11:13 AM
To: Ølstad, Roger
Cc: pen-test@securityfocus.com
Subject: Re: penetrating web-based authentication if you know one of 
theusernames

First things first, on the disclosed username thing, as you say the only
attack that pops up to my head is a bruteforce attack (assuming that
your web isn't vulnerable to SQL injection). You can easily prevent a
bruteforce attack counting the number of login failures on a particular
user. Paypal does it, Hotmail does it, VNC >= 3.1 does it and many more
too, all you have to do is record the number of login failures since
last proper authentication, if that number reaches to 15 (or 90,
crackers should be reaaaly lucky to get in the first 100 tries) the
account should be blocked and manually reactivated once the user is
validated.

Anyway, don't think your system has been compromised just because a
username has been disclosed, I can also assume you have a username
Roger.Olstad in the host pax.priv.no, but there's not much to with that
(other than a bruteforce attack...).

Now, on the "web-server audit", yes, there's some software capable of
bruteforcing using thread modes, I just read a bit about it, but never
really tested it, it's called AccessDriver. Anyway an script in perl,
bash, php or whatever you want is reaaaally easy to make...

And on the password strength checking there're many ways to do it, you
could try to crack them with john the ripper and a basic dictionary (or
with the -incremental flag). I know PAM has some module for checking
strength too, you could do some research on that as well.

Well, that's it, I think I cover all the topics, just hope this helps a
bit.

Bye!
Pablo Fernández
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • RE: penetrating web-based authentication if you know one of theusernames, David Corn <=
Previous by Date:  looking for a HTTPS redirect tool, Rajeev Kapoor
Next by Date:  Exchange mail server settings - easy dump possible?, Petr . Kazil
Previous by Thread:  looking for a HTTPS redirect tool, Rajeev Kapoor
Next by Thread:  RE: Exchange mail server settings - easy dump possible?, Sullivan Tim P
Indexes:  [Date] [Thread] [Top] [All Lists]